Pages

Daily Tech Digest - August 03, 2017

Certainly, compliance frameworks and programs help to establish the minimum standards for security and give a company a checkmark during audits, but frameworks and programs often fail to protect a company from breaches. Having frameworks and programs will not be sufficient if they do not reflect real-world dynamics and fail to provide needed monitoring, detection, responses, or protection. ... Only a fifth of respondents would invest in mitigating financial loss, and just 22 per cent would invest in cybersecurity training. ... Protecting a company requires an end-to-end approach that considers threats across the spectrum of the industry-specific value chain and the company’s ecosystem. Business exposure needs to be identified and minimized, with a focus on protecting priority assets.

As enterprises get better about encrypting network traffic to protect data from potential attacks or exposure, online attackers are also stepping up their Secure Sockets Layer/Transport Layer Security (SSL/TLS) game to hide their malicious activities. In the first half of 2017, an average of 60 percent of transactions observed by security company Zscaler have been over SSL/TLS, the company’s researchers said. The growth in SSL/TLS usage includes both legitimate and malicious activities, as criminals rely on valid SSL certificates to distribute their content. Researchers saw an average of 300 hits per day for web exploits that included SSL as part of the infection chain. “Crimeware families are increasingly using SSL/TLS,” said Deepen Desai, senior director of security research at Zscaler.

Today, mobile devices are coming under increasing attack – and no one is immune. Some 20 percent of companies surveyed by Dimensional Research for Check Point Software said their mobile devices have been breached. A quarter of respondents didn’t even know whether they’ve experienced an attack. Nearly all (94 percent) expected the frequency of mobile attacks to increase, and 79 percent acknowledged that it’s becoming more difficult to secure mobile devices. “They’re starting now to become more aware of the possible impact,” says Daniel Padon, mobile threat researcher at Check Point. “Real, state-level malware and the capability of such malware, together with large campaigns affecting millions and millions of devices, such as Gooligan and Hummingbad, are just the tip of the iceberg.”

As showcased at Siggraph, by using a deep learning neural network—run on Nvidia's costly eight-GPU DGX-1 server, naturally—Remedy was able to feed in videos of actors performing lines, from which the network generated surprisingly sophisticated 3D facial animation. This, according to Remedy and Nvidia, removes the hours of "labour-intensive data conversion and touch-ups" that are typically associated with traditional motion-capture animation. Aside from cost, facial animation, even when motion captured, rarely reaches the same level of fidelity as other animation. That odd, lifeless look seen in even the biggest of blockbuster games often came down to the limits of facial animation. Nvidia and Remedy believe its neural network solution is capable of producing results as good, if not better, than what's produced by traditional techniques.

Its features include: An emphasis on making it easier to build progressive web apps, so apps can be cached in the browser; A build optimizer that makes the application smaller by eliminating unnecessary code. and Making Material Design components compatible with server-side rendering. The progressive web apps concept, the product of a joint effort between Google and Mozilla, is about enabling development of browser-based apps that offer a superior, native-like experience. Supporting progressive web apps in Angular today requires a lot of expertise on the developers’ part; version 5 is intended to make usage easier. “We’re shooting to try and make progressive web apps something that everyone would use,” said Brad Green, a Google engineering director.

As the cybercrime landscape continues to evolve, methods of policing it must change as well. The increasing number of cyber attacks propagated by everyone from nation-state actors to average criminals is blurring lines between cybersecurity and public safety, ultimately causing a shift in the role of government and law enforcement in protecting against these threats. Verizon's 2017 Data Breach Investigations Report notes, "In addition to catching criminals in the act, security vendors, law enforcement agencies and organizations of all sizes are increasingly sharing threat intelligence information to help detect ransomware (and other malicious activities) before they reach systems." Using their own behind-the-scenes collaboration venues, threat actors have also become increasingly well armed and well informed.

Unfortunately, those caught in the middle of the storm are able to understand it more profoundly than the observers. While there was unprecedented large-scale impact due to the recent ransomware, it was minuscule compared to the computer infrastructure of the world. Which means that the majority of individuals and organisations would continue to remain unaware of the need for steps they should take to build an optimal cyber defence against cyber threats. That is the biggest bane of the cyber security industry and profession. The second observation is that the organisations that were impacted are building and strengthening controls around the risks of the recent ransomware attacks. That is important, but when you build cyber defence, you should consider all the possible risks to your business and build a security programme that works on mitigating these risks comprehensively.

Collaboration software can enable organizations to plan for crises and emergencies, said Michelle Vincent, collaboration and training officer for information services at Mercy Ships. The organization uses private hospital ships to provide free surgeries to residents of developing nations. Mercy Ships uses HipChat “to connect our various stakeholders during crisis drills,” Vincent said. “Hopefully, we'll never have a fire or other such emergency on the ship. But we rely on drills to keep us ready, and HipChat is a useful tool to keep us connected in real time for that purpose.” Emergency drills on the ship are performed almost every week, Vincent said, while a crisis management team’s drills involving multiple locations usually take place every quarter.

The fact that physical access is required makes it unlikely it will happen to your Echo. It also works only on 2015 and 2016 editions of Amazon Echo devices, as they had a rubber base that can be popped off to reveal 18 debug pads. Neither the 2017 Echo model, nor the Amazon Dot, are vulnerable. If a knowledgeable attacker did have access to an older Echo, Barnes noted that rooting it is “trivial.” After rooting the Echo, the researchers wrote a script to continuously grab the raw microphone audio data. Barnes called the physical access requirement a “major limitation.” The how-to is out there now, so maybe that should give you pause before you purchase a second-hand Echo.

Nowadays, with the help of cryptography, verification of remote (cloud) data is performed by third-party auditors (TPAs).2TPAs are also appropriate for public auditing, offering auditing services with more powerful computational and communication abilities than regular users.3 In public auditing, a TPA is designated to check the correctness of cloud data without retrieving the entire dataset from the CSP. However, most auditing schemes don’t protect user data from TPAs; hence, the integrity and privacy of user data are lost.1 Our research focuses on cryptographic algorithms for cloud data auditing and the integrity and privacy issues that these algorithms face. Many approaches have been proposed in the literature to protect integrity and privacy; they’re generally classified according to data’s various states: static, dynamic, multiowner, multiuser, and so on.

Quote for the day:

"You're not always going to be successful, but if you're afraid to fail, you don't deserve to be successful." -- Charles Barkley